Let’s Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that automates most of the required steps. At present, the whole process of getting and installing a certificate is fully automated on both Apache and Nginx web servers.
Now we will show how you can use Certbot to obtain a free SSL certificate and set it up with Nginx on Ubuntu 14.04 LTS. This tutorial has also been tested on Ubuntu 16 LTS. We will also show you how to automatically renew your SSL certificate.
Instead of creating a separate server block file, we will use the default Nginx configuration file. However, it's good practice, and often recommended by experts, to use new Nginx server block files. Creating new files helps avoid some common mistakes and makes maintenance easier.
Before you start:
We are assuming that (1) you have an Ubuntu 14.04 LTS server running with a non-root user who has sudo privileges, (2) you have the Nginx server installed, and (3) your domain is set up and a DNS record points your domain to the public IP address. This is required because Let’s Encrypt validates your domain ownership in this way.
Step 1 | Installing Certbot
Certbot developers maintain their own Ubuntu software repository with up-to-date versions of the software. Because Certbot is in such active development, it’s worth using this repository to install a newer Certbot than the one provided by Ubuntu.
First, add the repository:
sudo add-apt-repository ppa:certbot/certbot
You’ll need to press ENTER to accept. Then update the package list and install Certbot's Nginx package:
sudo apt-get update
sudo apt-get install python-certbot-nginx
This installs everything you need. We now just need to configure Nginx, and then we will obtain a new SSL certificate.
Step 2 | Setting up Nginx
Certbot needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you’re requesting a certificate for. If your Nginx is freshly installed, you can update the default config file:
sudo nano /etc/nginx/sites-available/default
Now find the existing server_name line. The value after server_name may be anything, or an underscore. Replace it with your domain name:
server_name example.com www.example.com;
Save the file and test if the syntax for the configuration file is correct:
sudo nginx -t
If that runs with no errors, reload Nginx to load the new configuration:
sudo service nginx reload
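Before requesting the certificate, you can confirm that every domain you plan to request appears in a server_name directive. The script below is an added example, not part of the original tutorial; the function names missing_server_names and sample_conf and the sample config are constructed for illustration, and only literal names are matched (no wildcard or regex server_name values).

```shell
#!/usr/bin/env bash
# Added example: report requested domains that no server_name directive lists.
# Usage: missing_server_names <nginx-config-file> <domain>...
# Prints each missing domain; returns 1 if any is missing, 0 otherwise.
missing_server_names() {
    local conf="$1" names d rc=0
    shift
    # Collect literal names from every server_name directive (comments stripped,
    # directives may span several lines and end at ";").
    names=$(awk '
        { sub(/#.*/, "") }
        in_dir || $1 == "server_name" {
            for (i = (in_dir ? 1 : 2); i <= NF; i++) {
                n = $i
                last = sub(/;$/, "", n)
                if (n != "") print tolower(n)
                if (last) { in_dir = 0; next }
            }
            in_dir = 1
        }
    ' "$conf")
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$names" | grep -qxF -- "$d"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample config: the Step 2 edit with the www name left out.
sample_conf() {
    cat <<'EOF'
server {
    listen 80 default_server;
    root /var/www/html;
    server_name example.com;   # www.example.com was forgotten
}
EOF
}

# Demo on the sample; on a real server pass /etc/nginx/sites-available/default.
conf=$(mktemp)
sample_conf > "$conf"
missing_server_names "$conf" example.com www.example.com \
    || echo "add the names above to server_name before running certbot"
rm -f "$conf"
```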
Step 3 | Obtaining an SSL Certificate
Certbot features a variety of ways to obtain SSL certificates, through various plugins. The nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:
sudo certbot --nginx -d example.com -d www.example.com
This runs Certbot with the Nginx plugin, using -d to specify the names we’d like the certificate to be valid for.
If this is your first time running Certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, Certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.
If that’s successful, Certbot will ask how you’d like to configure HTTPS settings. Choose (2) Redirect – if you would like to redirect all requests to HTTPS. Choose (1) No redirect – if you want to keep the configuration file unchanged.
You should then see a congratulatory message confirming that your new SSL certificate is set up. You can now access your server with https:// and see the green mark!